Why Cybersecurity Incident Response Isn’t Just an IT Function

Some of the largest organizations in the world, with the most advanced security tools and highly qualified security personnel, haven’t been able to stop cybersecurity breaches. As a result, there are two realities that companies need to accept.

First, it’s almost a foregone conclusion that your business will be victimized by a breach. If a sophisticated hacker decides to target your network, they’ll figure out a way to get past your defenses. Second, the breach itself won’t determine how much damage is done. The speed and effectiveness of your company’s response to the breach will determine whether it causes a relatively minor fender bender or a full-blown wreck.

Because of the inevitability of a security breach, every organization needs an incident response plan – a documented strategy that first explains what kind of event qualifies as an incident, and then defines the process to follow to minimize the impact of the incident. The SANS Institute, a research and education organization that caters to security professionals around the world, identified the six phases of incident management: preparation, identification, containment, eradication, recovery, and lessons learned.

A 2014 study from the SANS Institute found that only 9 percent of incident response professionals believe their incident response capabilities are “very effective.” 26 percent went so far as to call their capabilities “ineffective.” 43 percent say the lack of a formal incident response plan hampers their ability to manage incidents. These findings are reinforced by the 2015 Verizon Data Breach Report. Although a hacker can compromise a network in minutes, just 45 percent of organizations can detect a breach in “days or less.”

Incident response isn’t just an IT function. The incident response team that develops and executes your plan typically involves IT, security, human resources, customer service, public relations and legal. After all, cybersecurity is as much a legal issue as a technical one. The patchwork of industry regulations and laws related to data security and privacy at the state and federal levels is difficult to navigate without an attorney.

For example, if your company is the victim of a security breach and you have customers in all 50 states, you could very well have 50 different requirements for reporting the breach and notifying your customers. And when that notification becomes public record and reporters start digging for more information, wouldn’t you rather they call your attorney?

Traditionally, an attorney would be called in to help manage the response to a cybersecurity incident, but modern threats have made an attorney a valuable resource during the planning stages. A lawyer can collaborate with representatives from other departments to develop specific processes, training and risk assessments.

Because of the growing threat of private lawsuits, your incident response plan should anticipate potential litigation. In a data breach case involving Genesco and Visa, the court denied discovery requests for reports and communications with two of Genesco’s cybersecurity consultants, ruling that the information was protected by attorney-client privilege. This decision adds another reason why companies should consider having legal counsel lead cybersecurity initiatives.

In the next post, we’ll discuss what you can do to maximize the effectiveness of your incident response plan and minimize your legal risk.